Abstract

The technology of Security Information and Event Management (SIEM) has become one of the most important research applications in the area of computer network security. The overall functionality of SIEM systems depends largely on the quality of the solutions implemented at the data storage level, which is responsible for representing heterogeneous security events, storing them in the data repository, and extracting relevant data for the analytical modules of SIEM systems. The paper discusses the key issues in the design and implementation of a hybrid SIEM data repository that combines relational and ontological data representations. Based on an analysis of existing SIEM systems and standards, the ontological approach is chosen as a core component of the repository, and an example of an ontological data model for representing vulnerabilities is outlined. The hybrid architecture of the repository is proposed for implementation in SIEM systems. Since most of the work on SIEM repositories is based on the relational data model, the paper focuses mainly on the ontological part of the hybrid approach. To test the repository we used the data model intended for attack modeling and security evaluation, which includes both ontological and relational dimensions.

Highlights

  • The technology of Security Information and Event Management (SIEM) is, at present, one of the most important research directions in the area of computer network security

  • The analysis of related works on applying ontologies to network security helped us to select the following basic directions that can be used in SIEM systems: verification of security policies, intrusion detection, vulnerability analysis, security monitoring, and forensics

  • López de Vergara et al [5] propose to use an ontology based on Intrusion Detection Message Exchange Format (IDMEF) to represent and share the knowledge about incidents


Summary

Introduction

The technology of Security Information and Event Management (SIEM) is, at present, one of the most important research directions in the area of computer network security. The essence of this technology is to provide an ordered collection of security log records from a variety of sources, their long- and short-term storage in a centralized data repository in a common format for modeling and analysis to detect and predict attacks, and the development of countermeasures. The data repository is one of the main components of new-generation SIEM systems; its purpose is to represent heterogeneous security events in a uniform internal format, store them according to the previously developed data model, and support the extraction of relevant data for SIEM analytical modules. It can be used to represent SIEM data that has a complicated relational structure. Such data can be used to analyze the current security situation, model attacks, and generate countermeasures, including the analysis of historical data.
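The pipeline described above (collect heterogeneous records, normalize them into one internal schema, store them, and let analytical queries combine the relational event store with an ontological knowledge layer) can be illustrated with a small toy repository. The following is an added example and is not the paper's code or data model: the syslog lines and IDMEF-like alert are constructed, the host, software and vulnerability names (including the placeholder identifier `VULN-EXAMPLE-1`) are made up, and a SQLite `triples` table stands in for the ontological layer, which in a real deployment would be a proper ontology store. The functions `normalize_syslog`, `normalize_ids`, `build_repository` and `events_on_vulnerable_hosts` are likewise assumptions of this example.

```python
"""Toy hybrid SIEM repository: a relational event store plus an ontological
(subject-predicate-object) knowledge layer, with one query that joins the two.

Added example, not the paper's code. All input records, host names and the
vulnerability identifier below are constructed for illustration.
"""
import re
import sqlite3
from datetime import datetime

# --- Constructed input from two heterogeneous sources ---------------------
SYSLOG_LINES = [
    "2024-03-01T10:15:02Z web01 sshd[2211]: Failed password for root from 10.0.0.7 port 51022 ssh2",
    "2024-03-01T10:15:09Z db01 sshd[1410]: Accepted publickey for backup from 10.0.0.9 port 40210 ssh2",
]
IDS_ALERTS = [  # IDMEF-like dictionaries as an IDS might emit them (constructed)
    {"CreateTime": "2024-03-01T10:16:40Z", "Analyzer": "ids-sensor-1",
     "Classification": "Example web exploit attempt (constructed signature name)",
     "Source": "198.51.100.23", "Target": "web01", "Severity": "high"},
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$")


def normalize_syslog(line):
    """Map one syslog line onto the uniform internal event schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unparsable syslog line: %r" % line)
    msg = m.group("msg")
    src = re.search(r"from (\d+\.\d+\.\d+\.\d+)", msg)
    failed = msg.startswith("Failed password")
    return {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "source": "syslog:" + m.group("proc"),
        "src_ip": src.group(1) if src else None,
        "target_host": m.group("host"),
        "category": "auth_failure" if failed else "auth_success",
        "severity": 3 if failed else 1,   # constructed severity scale 1..4
        "message": msg,
    }


def normalize_ids(alert):
    """Map one IDMEF-like alert onto the same uniform schema."""
    severity = {"low": 2, "medium": 3, "high": 4}[alert["Severity"]]
    return {
        "ts": datetime.fromisoformat(alert["CreateTime"].replace("Z", "+00:00")),
        "source": "ids:" + alert["Analyzer"],
        "src_ip": alert["Source"],
        "target_host": alert["Target"],
        "category": "exploit_attempt",
        "severity": severity,
        "message": alert["Classification"],
    }


def build_repository():
    """Create the in-memory repository: relational `events` plus ontological `triples`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events (
            id INTEGER PRIMARY KEY, ts TEXT, source TEXT, src_ip TEXT,
            target_host TEXT, category TEXT, severity INTEGER, message TEXT);
        CREATE TABLE triples (subject TEXT, predicate TEXT, object TEXT);
    """)
    events = [normalize_syslog(l) for l in SYSLOG_LINES] + [normalize_ids(a) for a in IDS_ALERTS]
    conn.executemany(
        "INSERT INTO events (ts, source, src_ip, target_host, category, severity, message)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(e["ts"].isoformat(), e["source"], e["src_ip"], e["target_host"],
          e["category"], e["severity"], e["message"]) for e in events])
    # Ontological layer: which host runs which software, and which software is
    # affected by which vulnerability (all constructed; VULN-EXAMPLE-1 is a placeholder).
    conn.executemany("INSERT INTO triples VALUES (?, ?, ?)", [
        ("web01", "runs", "example-web-app"),
        ("db01", "runs", "example-database"),
        ("example-web-app", "affectedBy", "VULN-EXAMPLE-1"),
        ("VULN-EXAMPLE-1", "hasSeverity", "critical"),
    ])
    conn.commit()
    return conn


def events_on_vulnerable_hosts(conn, min_severity=3):
    """Analytical query joining both layers: events of at least `min_severity`
    whose target host runs software with a known vulnerability."""
    return conn.execute("""
        SELECT e.id, e.target_host, e.category, v.object AS vulnerability
        FROM events e
        JOIN triples r ON r.subject = e.target_host AND r.predicate = 'runs'
        JOIN triples v ON v.subject = r.object AND v.predicate = 'affectedBy'
        WHERE e.severity >= ?
        ORDER BY e.id
    """, (min_severity,)).fetchall()


if __name__ == "__main__":
    repo = build_repository()
    for row in events_on_vulnerable_hosts(repo):
        print(row)   # the two web01 events, each linked to VULN-EXAMPLE-1
```

The point of the join is that neither layer alone answers the question: the event table knows what happened to `web01`, the triple layer knows why `web01` matters, and an analytical module asks both at once. Changing `min_severity` shows how the relational filter and the ontological filter compose independently.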

Related Work
Ontological Approach
Data Model
Repository Design
Repository Implementation
Using the Repository for Attack Modeling and Security Evaluation
Findings
Conclusions